如何在php中从bcrypt哈希密码中提取盐？

Question

My database stores the bcrypt passwords which means that the salt should be stored with in the password field. I don't want to make a separate field to store the salt by itself when it is not necessary. However when I want to compare passwords that the user sends to me to the passwords stored in the database, I need to hash the incoming password with the same salt. Question: what part of the stored hash is the salt? I think I could just return the salt using simple substr().

// password stored in database.
$user->password_hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 13));


// password from form being compared to form password

$form_password_hash = password_hash($data['form-password'], PASSWORD_BCRYPT, array('cost' => 13));

if($user->getPasswordHash() == $form_password_hash)
{
    $user->setPassword($data['new-password']);
    return new Response("Your password has been changed");
}

Answer 1

You need to use the password_verify function. This function will parse the hashed password string to find the salt and perform the calculation.

if (password_verify($data['form-password'], $user->getPasswordHash())) {
    echo 'Password is correct';
}

Answer 2

Salt is the first 22 characters after the third $ in the hash:

$2y$13$<this is the salt, 22 chars><this is the password hash>

But you should not manually extract the salt to verify the password - use the password_verify function . It takes the password the user entered as the first argument, and the complete hash as the second argument, and handles the salt correctly.